Created
August 4, 2015 18:41
-
-
Save gdestuynder/764274f87371590ac0ae to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Note: this script uses generic exception catching with no traceback logging for file operations. | |
| # Note: this is to be superseded by MIG | |
| # | |
| # This Source Code Form is subject to the terms of the Mozilla Public | |
| # License, v. 2.0. If a copy of the MPL was not distributed with this | |
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | |
| # Copyright (c) 2012 [email protected] | |
| import os | |
| import sys | |
| import fnmatch | |
| import re | |
| import syslog | |
| WALK=['/home/', '/root/'] | |
| FNCHECK={'SQL': 'public_html/*.sql', | |
| 'Generic DB': '*public_html/*.db', | |
| 'SQL Dump': '*public_html/*.dump', | |
| 'Password TXT': 'password*.txt', | |
| 'Password HTML': 'password*.htm*', | |
| 'Password DOC': 'password*.doc*', | |
| 'Passwords': 'passwords', | |
| 'Putty SSH key': '*.ppk', | |
| 'Logs': 'public_html/*log', | |
| 'Key': '*.key', | |
| 'AWS S3': 's3user.txt', | |
| 'AWS Credentials': 'mozilla-aws-creds.txt', | |
| } | |
| WHITELIST=[] | |
| GENERIC_DIR_WHITELIST=[] | |
| GENERIC_FILE_WHITELIST=['Thumbs.db'] | |
| LOG_PATTERN = re.compile('Sync Key', re.MULTILINE) | |
| KEY_PATTERN = re.compile('PRIVATE KEY') | |
| FACILITY=syslog.LOG_LOCAL4 | |
| NODENAME=os.uname()[1] | |
| def chk_key(path): | |
| try: | |
| fd = open(path, 'rb') | |
| data = ' ' | |
| while data != '': | |
| data = fd.read(8192) | |
| if (LOG_PATTERN.findall(data)): | |
| fd.close() | |
| return True | |
| fd.close() | |
| except: | |
| return False | |
| return False | |
| def chk_log(path): | |
| try: | |
| fd = open(path, 'rb') | |
| #just check the start of the file | |
| data = fd.read(8192) | |
| if (KEY_PATTERN.findall(data)): | |
| fd.close() | |
| return True | |
| fd.close() | |
| except: | |
| return False | |
| return False | |
| def chk_ssh(path): | |
| try: | |
| fd = open(path, 'rb') | |
| except: | |
| return False | |
| for line in fd.readlines(): | |
| if fnmatch.fnmatch(line, '*PRIVATE KEY*'): | |
| return True | |
| return False | |
| def chk_gpg(path): | |
| try: | |
| if os.path.getsize(path) != 0: | |
| return True | |
| except: | |
| return False | |
| return False | |
| def cef(p, t, msg): | |
| if p in WHITELIST: | |
| return | |
| cefmsg = 'CEF:0|Mozilla|Host Scanner|1.0|SensitiveFiles|'+msg+'|5|cs1Label=Path cs1='+p+' cs2Label=Type cs2='+t+' dhost='+NODENAME | |
| syslog.syslog(syslog.LOG_INFO, cefmsg) | |
| # print cefmsg | |
| def scan(): | |
| for w in WALK: | |
| for root, dirs, files in os.walk(w): | |
| skip=0 | |
| for pat in GENERIC_DIR_WHITELIST: | |
| if fnmatch.fnmatch(root, pat): | |
| skip=1 | |
| if skip == 1: continue | |
| #SSH | |
| if (fnmatch.fnmatch(root, "*ssh")): | |
| for f in files: | |
| cur = root+"/"+f | |
| if chk_ssh(cur): | |
| cef(cur, 'SSH', "SSH private key found") | |
| #GPG | |
| if (fnmatch.fnmatch(root, "*gnupg")): | |
| if chk_gpg(root+"/secring.gpg"): | |
| cef(root+"/secring.gpg", 'GPG', "GnuPG secret keyring found") | |
| #Filenames | |
| for i in FNCHECK: | |
| ret = fnmatch.filter(files, FNCHECK[i]) | |
| if (ret != None): | |
| for r in ret: | |
| if r in GENERIC_FILE_WHITELIST: | |
| continue | |
| if (fnmatch.fnmatch(r, "*.log")): | |
| if not chk_log(root+'/'+r): | |
| continue | |
| if (fnmatch.fnmatch(r, "*.key")): | |
| if not chk_key(root+'/'+r): | |
| continue | |
| cef(root+'/'+r, i, 'Sensitive filename found') | |
| if __name__ == "__main__": | |
| syslog.openlog('HostScanner', 0, FACILITY) | |
| scan() | |
| syslog.closelog() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment